The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,227 other subscribers

Some notes on changing and checking bind DNS entries

Posted by jpluimers on 2023/01/09

DNS isn’t based on propagation, but on (cache) expiry. Which means it is all about TTL (Time to Live), and since humans are bad at coping with caching (remember the post There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors?), I needed some DNS refresh.

The time values in seconds of SOA (Start of Authority) and TTL record entries are always a pain, so hopefully this helps some:

Some TTL recommendations of the DNS SOA record via [Wayback/Archive] dns soa ttl best practice – Google Search and [Wayback/Archive] dns recommended ttl values – Google Search:

I’d rather have a good route for unplanned DNS changes (as in the past, quite a few were about those), so I settled for 3600 seconds (1 hour), but might go down to 600 seconds (10 minutes).

Checking DNS entries

Changing DNS entries

Some information on the DNS “master” files (which contain the RR or “resource records”) from [Wayback/] RFC1035: domain names – implementation and specification and [Wayback/Archive] RFC2308: Negative Caching of DNS Queries (DNS NCACHE), as keep forgetting them.

Both RFCs together specify that these line entries are defined (i.e. can be valid):

    $ORIGIN <domain-name> [<comment>]
    $INCLUDE <file-name> [<domain-name>] [<comment>]
    <domain-name><rr> [<comment>]
    <blank><rr> [<comment>]

and that these are the valid <rr> or resource record formats:

    [<TTL>] [<class>] <type> <RDATA>
    [<class>] [<TTL>] <type> <RDATA>

If you do a DNS zone transfer – Wikipedia (often abbreviated to the DNS query type AXFR), then these entries always are single line with fields expanded, with each always having an absolute <domain name> entry ending in a dot (.), and read like this:

<domain name> TTL <class> <type> <RDATA>

From the specific RFCs:

  • RFC 1035 section 3.2.4: CLASS values
  • RFC 1035 section 5.1: master files – format
    • White space to separate items on a line can be spaces or tabs
    • Comments start with semi-colon (;), which means that hashes (#) or double-slashes (//) won’t work and are syntax errors (the above mentioned tool named-checkzone can help you figure out those syntax errors).
    • There are line entries for blank, $ORIGIN, $INCLUDE, and resource record.
    • A line entry starting with $ORIGIN defines the current origin to be used from then on. Without such entry, he default origin can be defined through a parameter when loading the master file (see the Zone file: localhost example file)
    • Resource record line entries can start with:
      • @ to use the current origin as domain name.
      • a specified <domain-name> to denote the domain name to be used
      • no <domain-name> indicating the previous domain name to be used
    • A <domain-name> can be absolute ending in a dot (.)), or relative (in which case the origin is appended).
    • No <TTL> or  no <class> value means to use the previous TTL or class values to be used.
    • One resource record entry per line, unless you put parenthesis, then you can wrap it over multiple lines, which can be convenient for SOA record like this:
      @               IN      SOA (
                              2021112201 ; serial
                              3600 ; refresh every 1 hour
                              120 ; retry every 2 minutes
                              1209600 ; expire in 2 weeks
                              10800 ; now is 3 hours (see RFC2308) used to be 2 days: 172800 ; default_ttl
  • RFC2308 section 4: SOA Minimum Field
    • The $TTL line entry defining the default TTL to be used from then on (similar to $ORIGIN )

There is more (like encoding of domain names, more resource record types, and domain name length limitations), but those go beyond this blog post.

Examples on Wikipedia

Zone file: Example file is great:

$ORIGIN     ; designates the start of this zone file in the namespace
$TTL 3600                ; default expiration time (in seconds) of all RRs without their own TTL value  IN  SOA ( 2020091025 7200 3600 1209600 3600 )  IN  NS    ns                    ; is a nameserver for  IN  NS    ns.somewhere.example. ; ns.somewhere.example is a backup nameserver for  IN  MX    10  ; is the mailserver for
@             IN  MX    20 ; equivalent to above line, "@" represents zone origin
@             IN  MX    50 mail3              ; equivalent to above line, but using a relative host name  IN  A             ; IPv4 address for
              IN  AAAA  2001:db8:10::1        ; IPv6 address for
ns            IN  A             ; IPv4 address for
              IN  AAAA  2001:db8:10::2        ; IPv6 address for
www           IN  CNAME          ; is an alias for
wwwtest       IN  CNAME www                   ; is another alias for
mail          IN  A             ; IPv4 address for
mail2         IN  A             ; IPv4 address for
mail3         IN  A             ; IPv4 address for

as well as the examples at Zone file: Localhost:

An example for manual configuration of the forward zone for localhost is the following:

$ORIGIN localhost.
@  86400  IN  SOA   @  root (
                  1999010100 ; serial
                       10800 ; refresh (3 hours)
                         900 ; retry (15 minutes)
                      604800 ; expire (1 week)
                       86400 ; minimum (1 day)
@  86400  IN  NS    @
@  86400  IN  A
@  86400  IN  AAAA  ::1

The corresponding reverse zone definition is:

;; reverse zone file for and ::1
$TTL 1814400 ; 3 weeks
@  1814400  IN  SOA     localhost. root.localhost.  (
                      1999010100 ; serial
                           10800 ; refresh (3 hours)
                             900 ; retry (15 minutes)
                          604800 ; expire (1 week)
                           86400 ; minimum (1 day)
@  1814400  IN  NS      localhost.
1  1814400  IN  PTR     localhost.

This file does not specify the origin so that it may be used for both IPv4 and IPv6 with this configuration:

zone ""  IN {
                                type master;
                                file "r.local";
zone ""  IN {
                                type master;
                                file "r.local";

Similar zone master files may be created for the reverse resolution of the broadcast address and the null address. Such zone files prevent a DNS server from referring to other, possibly external DNS servers.


OpenSuSE: the relation between /etc/var/named.d and /var/lib/named


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: